Han Santos Privacy Round Up – February 2021
Overview
February heralded a slew of new federal and state-driven privacy and data protection laws, as well as three key events that have implications for data breach protocols and social media privacy.
Noteworthy Events
Facebook's $650M BIPA Settlement
- Class action settlement over violations of Illinois' Biometric Information Privacy Act
- The lawsuit stated that Facebook’s practice of tagging people in photos using facial recognition without their consent violated state law
- Facebook must now set the “Face Recognition” default setting to “off”
- For more information: Facebook’s $650M BIPA settlement ‘a make-or-break moment’ (iapp.org)
Investigative report of Facebook privacy practices
- The report details findings of an investigation into the transmission of sensitive user data by application and website designers to Facebook.
- For more information: NYSDFS: Report on Investigation of Facebook Inc. Data Privacy Concerns - February 18, 2021
Data breach - Elara Caring
- Elara Caring announces a data breach affecting 100,487 patients. The data breach occurred via unauthorized access to a limited number of corporate email accounts in mid-December 2020.
- For more information: Elara Caring • Security Info December 2020
Technology Areas of Interest
Financial technology (PCI (Payment Card Industry) SSC (Security Standards Council))
- Payment Card Industry Security Standards Council (PCI SSC) published Version 1.1 of the PCI Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures
- The PCI Secure SLC expands eligibility beyond payment software vendors to include vendors who develop software products for the payment card industry, allowing for broader vendor adoption and participation in the Secure SLC Program
- For more information: PCI Secure SLC Standard v1.1 (pcisecuritystandards.org)
USA: NIST Transport Layer Security
- Draft white paper describes, among other things, enterprise challenges associated with compliance, operations, and security when employing encrypted protocols, specifically TLS 1.3 in data centers.
- For more information: Addressing Visibility Challenges with TLS 1.3 (nist.gov)
Cookies
- Mozilla announces new cookie protection feature
- The cookie protection feature confines cookies to the site where they were created, thereby preventing companies from tracking individuals’ browsing activities across websites
- For more information: Firefox 86 Introduces Total Cookie Protection - Mozilla Security Blog
5G Security Controls
- The European Union Agency for Cybersecurity (ENISA) published a report on security controls and 5G in relation to key security controls in 3GPP
- The report highlights encryption of subscriber permanent identifier using a secure protocol on network or transport layer to ensure confidentiality and integrity, as well as implementing authentication
- For more information: https://www.enisa.europa.eu/publications/security-in-5g-specifications/at_download/fullReport
News to Follow this Month as it Unfolds
USA: SEC announces 2021 examination priorities
- The SEC Division of Examinations (DoE) announced its 2021 examination priorities, which include information security and operational resiliency
- For more information: 2021 Examination Priorities Report (sec.gov)
Laws—By State
Alabama
Bill for Consumer Privacy Act introduced in House of Representatives
- The Bill would provide for consumer rights such as the right to access, correct, and delete certain personal data, and opt out of collection and use of personal data.
- The bill provides for enforcement by the Attorney General (no private right of action)
- For more information: HB216-int.pdf (state.al.us)
Florida
Bill for the Florida Privacy Protection Act introduced in State House
- Establishes new definitions including biometric information, de-identified information, personal information, and profiling
- Notably, the Bill establishes a private right of action against businesses that violate any of the provisions
- For more information: Senate Bill 1734 (2021) - The Florida Senate (flsenate.gov)
Illinois
Bill for Consumer Privacy Act introduced to Assembly
- Bill passed its first reading and has been referred to the Rules Committee
- For more information: Illinois General Assembly - Full Text of HB3910 (ilga.gov)
Bill for Right to Know Act introduced to Assembly
- Bill requires, among other things, that the operator of a commercial website or online service provide notice to individual customers living in Illinois of personal information sharing practices
- For more information: Illinois General Assembly - Full Text of HB2404 (ilga.gov)
Massachusetts
Petition filed with State Senate for bill on Mass. Information Privacy Act
- The Information Privacy Act would, among other things, define an automated decision system and biometric information and its exclusions, establish biometric and location information protections, and establish provisions for enforcement and penalties
- For more information: Bill SD.1726 (malegislature.gov)
Minnesota
Bill reestablishing privacy commission introduced in State House
- Commission is aimed at studying government data practices and reviewing personal data privacy rights and legislation impacting data practices, data security, and personal data privacy.
- If enacted, the Commission will be established by 1 June 2021
- For more information: HF 1488 Status in the House for the 92nd Legislature (2021 - 2022) (mn.gov)
Vermont
Bill for Consumer Protection in Data and Technology Act introduced in State House of Representatives
- Bill proposes to enhance levels of consumer consent, protection, and transparency throughout the technology industry, to promote consumer protection in data and technology.
- For more information: Draft Bill Template (vermont.gov)
Bill for protection of consumers and genetic information introduced in State House of Representatives
- The Bill proposes to protect consumer privacy by requiring that a business that collects genetic data from a consumer in order to provide ancestry or similar information protect the data and keep it confidential
- For more information: hj210210.pdf (vermont.gov)
Bill for Consumer Data Privacy Act introduced in House of Representatives
- Bill proposes to adopt consumer privacy protections, provide more control over the amount and type of data collected, and adopt other protections equivalent to those provided by the CCPA (California Consumer Protection Act)
- For more information: Draft Bill Template (vermont.gov)
Virginia
Governor signs the Consumer Data Protection Act (CDPA) into law
- The CDPA will enter into force on 1 January 2023.
- For more information: https://lis.virginia.gov/cgi-bin/legp604.exe?212+ful+HB2307ER
Washington
Washington Privacy Act passes State Senate
- The bill for the Washington Privacy Act passed on March 3, 2021. The bill is now in the House “in committee.”
- For more information: 5062.pdf (wa.gov)
Laws—International
Australia
Parliament passes news media and digital platforms bargaining code
- The code aims to address the bargaining power imbalance between news media businesses and digital platforms and ensure that businesses are remunerated for the content they generate
- For more information: Treasury Laws Amendment (News Media and Digital Platforms Mandatory Bargaining Code) Bill 2021 – Parliament of Australia (aph.gov.au)
Europe
UK (United Kingdom) adequacy decision
- Commission highlighted that it has assessed the UK’s law and practice on personal data protection, and concluded that the UK ensures an equivalent level of protection under the GDPR (General Data Protection Regulation) and the Law Enforcement Directive
- For more information: Press corner | European Commission (europa.eu)
EU commission addresses data flows in trade strategy
- Trade strategy that prioritizes new rules for digital trade
- Strategy seeks to ensure that businesses can benefit from the international free flow of data in full compliance with EU data protection rules
- For more information: Press corner | European Commission (europa.eu)
International
Joint advisory on malicious cyber actors targeting Accellion FTA (File Transfer Appliance) customers
- Relevant agencies within the UK, Singapore, Australia, and New Zealand published a joint advisory with recommended mitigation measures against cyber attacks leveraging vulnerabilities to target Accellion FTA customers.
- For more information: Accellion Provides Update to Recent FTA Security Incident | Accellion
Background & About the Team
The Han Santos Privacy Round Up is a compilation of current events, recent laws and technologies that impact or have implications for corporate privacy and cybersecurity and that may impact your business. The Privacy Practice is comprised of attorneys Alan Thieman and Donna McPartland.
About the Firm
Han Santos is a full-service, minority-owned law firm, representing companies from formation to exit. The core counseling team includes highly skilled technical, business, and operating professionals who have gone on to become legal experts. This allows Han Santos to provide high-quality, agile counsel to companies in all stages of growth and operation, as well as all aspects of their Corporate, Securities, Privacy, and Intellectual Property Matters.